Second – My thoughts on who should consider participating in the S4 ICS CTF.

A person with hacking skills, but little experience in ICS. The flags will give you guidance on what an attacker would actually try to do once they can get to an ICS.

A person responsible for defending an ICS. Even if you just spend time understanding the flags you will learn many of the end goals and techniques that will be used against your ICS if an attacker can gain access to it.

A person with great ICS hacking skills. You will find this a challenge and perhaps you can win the S4 Black Badge.

Third – Some tips from Reid for CTF participants:

A successful team will need a variety of skills, including the ability to analyze industrial controls, basic network scanning, lockpicking, and solving more traditional CTF problems.

Some challenges are purely control systems focused, such as identifying configuration items in controllers or analyzing oddities in ICS protocols. Some of these control systems challenges will have a cyberphysical element — as teams solve the problems, they may want to watch process control equipment to see how their finding helped attack a process. A few of these will involve ICS Foreverday vulnerabilities.

Other challenges involve incident response: analyzing traffic from compromised systems. Bring your traffic analysis hats for these. We even have RF analysis flags. We will have a handful of SDR receivers and will provide hints for how to search for these flags; players will want to familiarize themselves with the RTL-SDR before coming.

We have been preparing some new and interesting challenges for the S4 CTF this year, and I think that players will have a lot of fun with what we have in the works. We have a number of nice challenges that involve breaking and entering into our ‘Killer Robot Factory’ (players from last year’s CTF may remember a few flags associated with the poor Killer Robots — for all of the pain that they cause humanity, they don’t secure their network very well).

One of last year’s challenges was to find the product order code for a feeder management relay. This relay was used to control a breaker that could disconnect the poor Killer Robots from their electric mains.

While we have a few SEL-751As in our test lab, we thought that putting one in harm’s way for the CTF might be a bit of a stretch. Even ‘good’ industrial equipment such as that made by SEL tends not to deal very well with many simultaneous users. That, and if people messed with the equipment, it could be a pain to restore to working condition.

Instead, we built a SEL emulator (or honeypot) in Python using the cmd2 library. The emulator is kind-of-sort-of good, and provides a sort-of-realistic simulation of an SEL relay — enough to trick CTF players, anyway.
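The following is an added example of the honeypot idea described above, not Digital Bond’s emulator. It uses the standard library’s `cmd` module (the base class that cmd2 extends) so it runs with no dependencies. The command names (ACC, 2AC, ID), access levels, banner, passwords and the “product code” flag are constructed and simplified for illustration, not a faithful SEL implementation. The point it adds is the defender’s side of a honeypot: every command and every failed password guess lands in a structured audit trail that can be shipped to a SIEM.

```python
"""Honeypot-style relay terminal emulator (added example, not Digital Bond's
code).  Built on the standard library's `cmd` module, which cmd2 extends.
Commands, access levels, passwords and the product-code flag are constructed."""
import cmd
import io
import logging
from datetime import datetime, timezone

PRODUCT_CODE = "EXAMPLE-ORDER-CODE-0000"    # constructed placeholder flag
LEVEL_PASSWORDS = {1: "OTTER", 2: "TAIL"}   # constructed; never reuse real device passwords here

log = logging.getLogger("relay_honeypot")


class RelayHoneypot(cmd.Cmd):
    """Mimics a relay's ASCII front end closely enough to keep a visitor typing,
    while recording every command and every password guess for the operator."""

    intro = "RELAY EMULATOR (constructed example)"
    prompt = "=>"

    def __init__(self, stdin=None, stdout=None):
        super().__init__(stdin=stdin, stdout=stdout)
        self.use_rawinput = False        # read from self.stdin so sessions can be scripted
        self.level = 0                   # current access level
        self.events = []                 # audit trail: list of dicts, exportable to a SIEM
        self._pending_level = None       # set while waiting for a password line

    # --- audit trail -------------------------------------------------------
    def _record(self, kind, detail=""):
        evt = {"ts": datetime.now(timezone.utc).isoformat(), "level": self.level,
               "kind": kind, "detail": detail}
        self.events.append(evt)
        log.info("%s", evt)

    # --- dispatch ----------------------------------------------------------
    def onecmd(self, line):
        if line == "EOF":                        # client disconnected without QUIT
            return self.do_QUIT("")
        if self._pending_level is not None:      # this line is a password attempt
            return self._check_password(line.strip())
        parts = line.strip().split(None, 1)
        if not parts:
            return False                         # ignore blank lines (cmd would repeat the last command)
        parts[0] = parts[0].upper()              # relay commands are case-insensitive
        self._record("command", " ".join(parts))
        return super().onecmd(" ".join(parts))

    def default(self, line):
        self.stdout.write("Invalid Command\n")

    def _check_password(self, attempt):
        level, self._pending_level = self._pending_level, None
        if attempt == LEVEL_PASSWORDS[level]:
            self.level = level
            self.prompt = "=" * (level + 1) + ">"
            self._record("auth_success", f"level {level}")
        else:
            # Failed guesses are the most valuable signal a honeypot collects
            self._record("auth_failure", f"level {level} attempt={attempt!r}")
            self.stdout.write("Invalid Password\n")
        return False

    # --- commands ----------------------------------------------------------
    def do_ACC(self, arg):
        """Request access level 1 (constructed flow)."""
        self._pending_level = 1
        self.stdout.write("Password: ?\n")

    def do_2AC(self, arg):
        """Request access level 2 (constructed flow)."""
        self._pending_level = 2
        self.stdout.write("Password: ?\n")

    def do_ID(self, arg):
        """Identification report; only answered once the visitor holds level 1 or above."""
        if self.level < 1:
            self._record("access_denied", "ID")
            self.stdout.write("Invalid Access Level\n")
            return
        self.stdout.write(f"FID=EXAMPLE-FW-R100\nPARTNO={PRODUCT_CODE}\n")

    def do_QUIT(self, arg):
        self._record("session_end")
        return True


def run_session(lines):
    """Drive the emulator with a scripted transcript (one line per entry) and
    return the text it printed plus the structured event list."""
    out = io.StringIO()
    hp = RelayHoneypot(stdin=io.StringIO("\n".join(lines) + "\n"), stdout=out)
    hp.cmdloop()
    return out.getvalue(), hp.events


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed transcript: a visitor probes ID, guesses a password, succeeds, reads the flag
    text, events = run_session(["id", "acc", "wrong", "acc", "OTTER", "id", "quit"])
    print(text)
```

To expose it over the network, wrap `RelayHoneypot` in a `socketserver.StreamRequestHandler` and hand the socket’s read/write files in as `stdin`/`stdout`; the scripted `run_session` shown here is what lets the same class be exercised offline.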

A common problem that occurs when you provide an environment or playground is that the sheer number of choices is overwhelming. Providing a network full of PLCs, Historians, and other ICS equipment often results in an interested participant not actually participating at all because there’s no good place to start or no clear path through the petting zoo.

This year at S4 we are taking a more directed approach. We want all attendees to have clear goals and clear payoffs to exploring and exploiting new technologies and problems. We’re ramping up the CTF this year and making it the primary focus of what was previously called the “ICS Village.” At S4x16 we will have a full-scale professional-grade jeopardy-style ICS-oriented Capture-the-Flag event.

For those unfamiliar with jeopardy-style CTF events: rather than a fully connected network of corporate systems, an ICS DMZ, a control center zone, firewalls, etc. we will have a set of distinct and discrete challenges to be solved within a set of categories. This method is how virtually all CTFs are organized (e.g. DEF CON, CSAW, PPP). We feel it provides a clear and easy path for participants with frequent rewards to encourage diving further. It also makes the logistics and infrastructure easier which means we can facilitate more participants and more complicated and interesting challenges.

Digital Bond, with the help of many excellent volunteers, has worked hard to create an interesting CTF full of ICS challenges that is sure to test everyone from the ICS Novice to the most seasoned PLC Pwning Wizards. Look for a future post revealing categories and other interesting tidbits related to the challenges themselves. The CTF will run the entire length of the conference and a live scoreboard will be projected at the venue to monitor the excitement.

Be sure to register soon for discounted pricing and before all of the spots are taken. The speaker lineup is fantastic but the CTF is going to be amazing (O.K. maybe I’m biased). Thanks to the volunteers and sponsors who have helped create the new and improved S4 CTF. Come on and get your hack on!

Digital Bond is bringing S4 to Tokyo this October, and we are looking for excellent sessions for the two-day event. The event will be held in English and Japanese with simultaneous translation as appropriate. We welcome your session proposals in English or Japanese as well.

OTDay (Tuesday, Oct 14)

SCADA, DCS and other control systems are running mission critical IT networks. Information Technology used in ICS is commonly called Operations Technology (OT). At S4xJapan’s OTDay we are looking for presentations that demonstrate how to apply good IT and IT security practices to OT. It is a very practical day that focuses on real world results that are working.

S4 (Wednesday, Oct 15)

S4 is the one place where researchers can present in technical depth and don’t need to explain SCADASEC 101. You can watch the videos from S4x14 and previous years to see the best in world researchers describe their latest results. At S4xJapan we will highlight the best Japanese ICS security research as well as bring in some new research from around the world.

We are looking for leading and bleeding edge ICS security research, both offensive and defensive. Researchers should propose sessions on new ways to attack and exploit ICS as well as new techniques to detect and stop cyber attacks.

S4xJapan is also the place where your research will get noticed. We will have a select set of Japanese and international press that cover the ICS security beat and are widely read. We will also be recording the sessions and making them available on our digitalbond.jp site after the event.

Submitting Your Proposal for S4xJapan

It’s simple. Send an email to s4@digitalbond.com with a brief description of your research and the time requested for the presentation. The standard time slot is 30 minutes, but we have a mix of presentations running from 15 minutes to 1 hour.

Some possible topics include vulnerability analysis of ICS protocols, standards, devices and applications; methodologies and results of risk calculations; detecting and preventing attacks on control systems; performance impact of security on control systems; wireless jamming; smart grid security; hardware hacking and whatever else a researcher can identify.

Review and Acceptance

Our sole goal is to put together the best possible program. This is not a peer reviewed, academic conference process. All submissions are reviewed as they come in. The earlier you submit, the better your chance of getting on the program. If your submission is close to acceptance we may suggest a modification that would be interesting to the S4 audience.

We actively seek out the best research. If you know of any research that should be at S4xJapan, please send us an email at s4@digitalbond.com.

Key Dates

Abstract Submissions Due: July 18, 2014 (early submission improves odds of acceptance, and you may submit your proposed session in English or Japanese)

Heavily discounted hotel reservations at the Trump International close this Friday. After Friday there is nothing we can do to help you get a great room at a great price. This is your last chance to get a room right on the beach with the other S4 registrants. Click here to go to the Trump International reservation page.

The S4x13 agenda is dominated by strong offensive security presentations with a sprinkling of defense. So we are pleased to add one last defensive security session to the agenda from Dr. Jonathan Butts and Stephen Dunlap of the Air Force Institute of Technology. This presentation introduces a novel approach of using CPU execution data to characterize the nominal operations of a PLC. The technique provides the ability to remotely fingerprint a device and measure characteristics that fluctuate if a change to the firmware or program file occurs. The session will demonstrate how the method can be applied to detect modifications to PLC program files, firmware and communication, as well as search devices for known malware.

We are pleased that Waterfall will return as one of the two sponsors of the Welcome Cocktail Party on Tuesday night. It’s a fun kickoff to S4 as many researchers who know each other well online finally meet face-to-face, and others reacquaint with old friends.

Sponsors are encouraged to deploy systems on the S4 Blue Hat network that will be open Tuesday through Thursday. The goal is to provide an interactive environment for attendees to hack and learn, and we are hoping the sponsors will bring a lot of creativity to this. There will be a winner awarded based on security, innovation, creativity, learning and interaction with S4 attendees — and completely up to the judges’ discretion. Three S4 attendees will judge the competition.

There are other sponsors in the process of finalizing paperwork. Of course, we would like more, especially those that have something to put on the Blue Hat network. It’s a great way to expose your product to a bunch of free testing and teach people about what you do well if you are sly and make it a creative and fun experience. Sponsor programs begin at $3K and include one S4 registration; contact us if you have any questions.

Two weeks ago we sold out the S4 venue we have used for the first five years. This was not a surprise with last year selling out in mid-December, the increased interest in ICS security and the S4 2013 Agenda. In preparation we came up with a way to double the available size by using two case study rooms and essentially running each day twice. The good news is you will have another 60 ICS security researchers and thought leaders to meet at S4 2013.

But that’s it. When the remaining spots are gone we have no room to expand the event further. If you want to guarantee your spot at S4, you need to register now. (BTW some of the Advanced ICS Security Classes are near capacity as well.)

UPDATE – Sponsor Blue Hat Competition

We are encouraging all S4 sponsors to put something on the S4 Blue Hat network. This will be available continuously from Tuesday 10AM to Thursday 4PM. S4 attendees will be able to hack and otherwise interact with the devices on the network. It’s a great opportunity to expose security solutions to the S4 attendees.

Honestly, we are not sure how this will work out. We are encouraging sponsors to be creative and provide an interesting and interactive environment for the attendees. They can issue user accounts, provide information, show live or recorded attack information or whatever else comes to mind. We will have three S4 attendees judge the participants on security, innovation, learning, interactivity and whatever else they want to include.

Last week, Dale had difficult conversations regarding cyber security with two vendors. Apparently, that was the week for vendor interactions, as I had one too. My interaction was with a control system component vendor, attempting to explain the premise of my upcoming S4 presentation.

I’ve been downloading as much automation software as I can over the past few weeks, and running Microsoft’s Attack Surface Analyzer against all of them looking for common vulnerabilities and insecure changes. I plan to present the findings at S4, along with some directions for improvement. Please note that this is much different from attempting to find exploits in the software; my work is to see how the software itself can change the underlying OS to make it less secure. I’ve done ~16 pieces of software thus far, and I’m hoping to include a few more as well.
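The baseline-versus-post-install comparison that this kind of study rests on is easy to reason about in code. The block below is an added example, not Attack Surface Analyzer itself and not the tool’s output format: two constructed snapshots stand in for a “before install” and “after install” scan of a Windows host, and a small rule set flags the classes of change the paragraph is concerned with (new listeners, new high-privilege services, unquoted service paths, ACLs that hand write access to broad principals, and new inbound firewall allows). The snapshot layout, product names, paths and severities are all assumptions made for the example.

```python
"""Baseline-vs-install attack-surface diff (added example; not Microsoft's
Attack Surface Analyzer and not Digital Bond's code).  Snapshots are constructed
dictionaries standing in for a real scanner's output; rules and severities are
the example author's own assumptions."""
from dataclasses import dataclass

# Principals that should never gain write rights on installed code or config
BROAD_PRINCIPALS = {"Everyone", "BUILTIN\\Users", "Authenticated Users"}
WRITE_RIGHTS = {"FullControl", "Modify", "Write"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    severity: str
    category: str
    detail: str


def diff_snapshots(before, after):
    """Return the security-relevant differences introduced between two snapshots,
    highest severity first.  Only changes present in `after` but not `before`
    are reported, which is exactly the question the study above asks."""
    findings = []

    # 1. Network: any newly listening socket widens the remote attack surface
    for (proto, port), proc in after["listeners"].items():
        if (proto, port) not in before["listeners"]:
            findings.append(Finding("medium", "network",
                                    f"new {proto} listener on port {port} ({proc})"))

    # 2. Services: new services running as LocalSystem, and unquoted paths with spaces
    for name, svc in after["services"].items():
        if name in before["services"]:
            continue
        sev = "high" if svc["account"] == "LocalSystem" else "low"
        findings.append(Finding(sev, "service",
                                f"new service {name} running as {svc['account']}"))
        if " " in svc["path"] and not svc["path"].startswith('"'):
            findings.append(Finding("high", "service",
                                    f"unquoted service path for {name}: {svc['path']}"))

    # 3. ACLs: a broad principal gaining write rights on a file, directory or key
    for obj, acl in after["acls"].items():
        old = before["acls"].get(obj, {})
        for principal, rights in acl.items():
            gained = (set(rights) - set(old.get(principal, ()))) & WRITE_RIGHTS
            if principal in BROAD_PRINCIPALS and gained:
                findings.append(Finding("high", "acl",
                                        f"{principal} gained {sorted(gained)} on {obj}"))

    # 4. Firewall: new inbound allow rules
    for rule in after["firewall_inbound_allow"] - before["firewall_inbound_allow"]:
        findings.append(Finding("medium", "firewall", f"new inbound allow rule: {rule}"))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.category, f.detail))


def summarize(findings):
    """Count findings per category, handy for comparing packages side by side."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed snapshots.  "Vendor HMI" is a fictitious product used only as sample data.
BEFORE = {
    "listeners": {("tcp", 135): "svchost.exe", ("tcp", 445): "System"},
    "services": {"Spooler": {"account": "LocalSystem",
                             "path": '"C:\\Windows\\System32\\spoolsv.exe"'}},
    "acls": {"C:\\Program Files": {"BUILTIN\\Users": ("ReadAndExecute",)}},
    "firewall_inbound_allow": set(),
}
AFTER = {
    "listeners": {("tcp", 135): "svchost.exe", ("tcp", 445): "System",
                  ("tcp", 5000): "hmisrv.exe"},
    "services": {"Spooler": BEFORE["services"]["Spooler"],
                 "VendorHMI": {"account": "LocalSystem",
                               "path": "C:\\Program Files\\Vendor HMI\\hmisrv.exe"}},
    "acls": {"C:\\Program Files": {"BUILTIN\\Users": ("ReadAndExecute",)},
             "C:\\Program Files\\Vendor HMI": {"Everyone": ("FullControl",)},
             "HKLM\\SOFTWARE\\Vendor": {"BUILTIN\\Users": ("FullControl",)}},
    "firewall_inbound_allow": {"Vendor HMI (TCP-In, any address)"},
}

if __name__ == "__main__":
    for f in diff_snapshots(BEFORE, AFTER):
        print(f"[{f.severity:6}] {f.category:8} {f.detail}")
    print(summarize(diff_snapshots(BEFORE, AFTER)))
```

Running the same diff across many packages and comparing `summarize()` output is the shape of the “~16 pieces of software” comparison: the interesting result is not any single finding but which categories of OS weakening recur across vendors.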

The control system vendor I ran into made a zip file containing the software available on their website, but required an email to get the password to the zip file. Thinking this was just a formality, I sent in an email explaining the premise of my study. To my surprise, the president of the company responded that they “do not see any value in such a study”, and that their software “is as secure, or as insecure, as others that support OPC Data Access V2.0”.

We have two great new additions to the S4 2013 agenda. Both happen to involve the Siemens WinCC / S7 product family. Loyal blog readers have probably heard recently of Positive Technologies’ whitepaper SCADA Safety in Numbers, but we were more interested in a Computerworld article about 50+ vulnerabilities that Sergey and the team had found in WinCC / S7 and related products. These vulnerabilities were to be disclosed at Defcon but were pulled back — and Siemens has had full knowledge of them for months now.

We suggested to Sergey that S4 is an ideal venue to disclose these vulnerabilities and associated tools that Positive Technologies has developed. Personally I’m interested in seeing if any judgements can be made about Siemens coding practices for this product line, and to hear what Siemens’ response to this will be in the future. As I mentioned earlier, at some point a vendor (and their customers) have to realize the futility of patching a fundamentally flawed product.

The second new presentation is one of the 15-minute quick hits that we are adding to keep S4 lively. Erik Johansson of Management Doctors in Sweden will explain and demonstrate a tool that extracts the password from Siemens S7-400 packet captures. This includes the Level 3 passwords that have the most rights. This presentation is based off of work by Arne Vidström of the Swedish Defence Research Agency (FOI).

If you hadn’t noticed, S4 is very international. It draws the top technical talent, in both speakers and attendees. Here we have a Russian and Swedish presentation. We also have Luigi and Donato from Italy, Arthur Gervais from Germany, Ali Abassi from Iran, and Damiano Bolzoni from the Netherlands on the agenda. Last year 14 countries were present at S4, and we already have attendees registered from 12 countries.

A quick look at the agenda will convince you that this is going to be the most interesting technical ICS security event of all time. Seriously, check it out. The quality and quantity of research has taken a big jump over the last 12 months. And look at the videos from last year to see this event actually provides technical meat.

S4 is a very different event than ICSJWG, WeissCon, SANS, etc. It is very technical and very participative. You will see presenters going deep into code, protocols, statistics, theory, … If you are looking for this, S4 is the place for you.

It is participative because of the size and layout of the case study rooms and the ethos that has developed at S4 over the last six editions. The Q&A and discussion part of the event (focused on technical and specifically avoiding topics like responsible disclosure, information sharing, IT vs Ops) is an important part of each session. Plus attendees can go on a five minute unsolicited response, participate in the great debate and of course the hallway con and social events.

S4 is not for everyone. S4 doesn’t have overview presentations, SCADASEC 101, policy discussions, etc. These are very useful for a large portion of the ICS community and are handled well by the other events. So make sure you self select wisely because we push the speakers hard to have serious technical content.

Space is limited for the two day S4 Conference, but even more limited for the ICS Advanced Security Training that happens the day before and after S4. The courses vary in size from 20 to 30 students. We have four great training courses available:

Travis Goodspeed will be teaching hardware hacking embedded wireless systems (and you will walk away with some hardware tools)

Billy Rios and Terry McCorkle are reprising their HMI hacking course from last year. This was very popular as the Active X and form field fuzzing techniques, taught on actual HMI, are what Rios/McCorkle used to find the hundreds of HMI vulns

atlas 0f d00m is teaching a course on RfCat. Capturing and analyzing these RF comms is an area that deserves a lot more attention

A late entry: Luigi Auriemma and Donato Ferrante will teach how to find server-side vulns in SCADA software. Luigi will teach the techniques he has used to find a large number of vulnerabilities, including looking at encryption and compression in these products.

All the instructors will be at S4 and are just a small sample of the researchers and thought leaders you will meet at the event.

About Us

Digital Bond was founded in 1998 and performed our first control system security assessment in the year 2000. Over the last sixteen years we have helped many asset owners and vendors improve the security and reliability of their ICS, and our S4 events are an opportunity for technical experts and thought leaders to connect and move the ICS community forward.